8.1.3 Configuring syslog - remote messages

Information

This recommendation prevents the local syslogd daemon from accepting messages from other hosts on the network.

Rationale:

Apart from a central syslog server, all other hosts should not accept remote syslog messages. By default the syslogd daemon accepts all remote syslog messages as no authentication is required. This means that a hacker could flood a server with syslog messages and potentially fill up the /var filesystem.

Solution

If the server does not act as a central syslog server, suppress the logging of messages originating from remote servers:

chssys -s syslogd -a '-r'

Re-cycle syslogd to activate the configuration change:

stopsrc -s syslogd
startsrc -s syslogd

Default Value:

Not configured

Additional Information:

Reversion:

Remove the suppression of remote syslog messages:

chssys -s syslogd -a ''

Re-cycle syslogd to activate the configuration change:

stopsrc -s syslogd

startsrc -s syslogd

See Also

https://workbench.cisecurity.org/benchmarks/7851